1160d63430a630e5361dda5a78039c020ada1d33990a0829d50b82002099d143

Analysis

max time kernel
120s
max time network
124s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30-12-2023 20:58

Target

1c54a4b94e5b8bc8642e8cb59e4ffb7f.dll
Size

17KB
MD5

1c54a4b94e5b8bc8642e8cb59e4ffb7f
SHA1

4c58f8af279c459b392d4a51159f2c34635988af
SHA256

1160d63430a630e5361dda5a78039c020ada1d33990a0829d50b82002099d143
SHA512

800740dce0d5a7a15b42531c7d0276ee98a0cf9fbaf39a2bb4e1b37db6f3d13c85952fc2b14c0067be67e3f627885b8ea142db9041ab6e67bcbdc075b1f41c5a
SSDEEP

384:B39/gEaUui7e6QCi50liGtwAuFphYGVTFmPwL:Bt/5aUR6NCi50l0x7CGdF0wL

Score

7^/10

upx

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral1/memory/2264-1-0x0000000010000000-0x0000000010010000-memory.dmp	upx
behavioral1/memory/2264-0-0x0000000010000000-0x0000000010010000-memory.dmp	upx

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
464	Process not Found

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2264	rundll32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2264	rundll32.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2264	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1724 wrote to memory of 2264	1724	rundll32.exe	28
PID 1724 wrote to memory of 2264	1724	rundll32.exe	28
PID 1724 wrote to memory of 2264	1724	rundll32.exe	28
PID 1724 wrote to memory of 2264	1724	rundll32.exe	28
PID 1724 wrote to memory of 2264	1724	rundll32.exe	28
PID 1724 wrote to memory of 2264	1724	rundll32.exe	28
PID 1724 wrote to memory of 2264	1724	rundll32.exe	28

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1c54a4b94e5b8bc8642e8cb59e4ffb7f.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1724
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\1c54a4b94e5b8bc8642e8cb59e4ffb7f.dll,#1
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:2264

memory/2264-1-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/2264-0-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download